On a fresh install of CentOS 6.9 with all updates, I can mount NFS with the UDP protocol and run `rpcinfo -u 10.3.255.234 nfs 3`; the answer is "program 100003 version 3 ready and waiting". I can mount any NFS export over UDP without any problem.

However, when it comes to TCP, any mount attempt hangs for 3 min, then times out. Same for `rpcinfo -t 10.3.255.234 nfs 3`. I have several other servers with CentOS 6.9 with all updates; they can mount NFS over TCP without any problem, and when they run `rpcinfo -t` and `-u`, they get positive answers. They are not fresh installs.

I can observe the following behaviors on the faulty clients:

1. no layer 4 protocol option: we see that even the UDP attempt times out

I looked a bit at the traffic. The working client gets an answer from portmapper, then asks to mount "/vol/vol_testunix". If I search for this string on the freshly installed server, I don't find it, but the portmapper answer is present.

I tried a fresh install of CentOS 6.9 on 2 different servers with different hardware; both time out with NFS over TCP.

This is not a permission problem. If I spoof the faulty IP with a working server, I can mount over TCP without any problem.

The NFS server is a NetApp filer, so I don't have full control over it. If I nmap it from the non-working server, I see the NFS and rpcbind ports open.

I suspect the default configuration on the client side. iptables and ip6tables are flushed and disabled. IPv6 is not used at all. The rpcbind, portmapper, mountd, lockd, statd and nfs services are running. rpcinfo on localhost displays "portmapper", "status" and "mountd" for both tcp and udp.

Our CentOS host and our NetApp server were not the problem. We have an HP switch (HP1820-48G J9981A) with a security protection against invalid TCP flags attacks. I don't have time to analyze my captures further right now, so I still don't know what exactly is triggering this protection.

All queries reach the NetApp server, all authorizations are given, then the last sync query from the client was dropped by the switch.

I cannot pastebin a pcap capture as it contains sensitive information about my company. If I have time to analyze it in my free time, I will give more information on this thread.
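A way to locate this kind of in-path drop without sharing a pcap, as an added example that is not part of the original post: compare the text output of `tcpdump -nn -S` taken on the client with a second capture taken on the far side of the switch, and list the client segments that never arrive. The client address, ports, sequence numbers and flag values below are constructed placeholders and do not reproduce the poster's capture; the availability of a far-side capture is an assumption.

```python
import re
from collections import Counter

# Parses one TCP line of `tcpdump -nn -S` text output (absolute sequence numbers).
SEGMENT = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>[\d:]+))?(?:, ack (?P<ack>\d+))?"
)

CLIENT_IP = "10.3.1.50"  # constructed client address (assumption)

# Constructed sample lines: capture on the client, before the switch.
CLIENT_SIDE = [
    "12:00:00.000100 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [S], seq 1000, win 14600, length 0",
    "12:00:00.000400 IP 10.3.255.234.2049 > 10.3.1.50.871: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
    "12:00:00.000450 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [.], ack 5001, win 14600, length 0",
    "12:00:00.000500 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [P.], seq 1001:1045, ack 5001, win 14600, length 44",
    "12:00:00.200500 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [P.], seq 1001:1045, ack 5001, win 14600, length 44",
    "12:00:00.600500 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [P.], seq 1001:1045, ack 5001, win 14600, length 44",
]
# Constructed sample lines: capture on the far side of the switch.
SERVER_SIDE = [
    "12:00:00.000150 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [S], seq 1000, win 14600, length 0",
    "12:00:00.000350 IP 10.3.255.234.2049 > 10.3.1.50.871: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
    "12:00:00.000500 IP 10.3.1.50.871 > 10.3.255.234.2049: Flags [.], ack 5001, win 14600, length 0",
]

def segments(lines, client_ip):
    """Count client-originated segments, keyed by endpoints, flags, seq and ack."""
    seen = Counter()
    for line in lines:
        m = SEGMENT.search(line)
        # tcpdump prints addr.port, so strip the trailing port to compare addresses
        if m and m["src"].rsplit(".", 1)[0] == client_ip:
            seen[(m["src"], m["dst"], m["flags"], m["seq"], m["ack"])] += 1
    return seen

def lost_in_transit(client_lines, server_lines, client_ip):
    """Segments the client sent more often than the far side received them."""
    sent = segments(client_lines, client_ip)
    arrived = segments(server_lines, client_ip)
    return [(key, n, arrived[key]) for key, n in sent.items() if arrived[key] < n]

if __name__ == "__main__":
    for (src, dst, flags, seq, ack), n, got in lost_in_transit(CLIENT_SIDE, SERVER_SIDE, CLIENT_IP):
        print(f"{src} > {dst} Flags [{flags}] seq {seq} ack {ack}: sent {n}, arrived {got}")
```

The flags and sequence range of each reported segment are what to check against the switch's protection settings; retransmissions show up as a sent count above 1.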